On Wed, Jul 30, 2014 at 10:14:34AM +0000, J.B.C. Engelen (Johan) wrote:
On 30-07-2014 at 09:49, Tavmjong Bah <tavmjong@...47...> wrote:
On Wed, 2014-07-30 at 00:41 -0700, Bryce Harrington wrote:
On Tue, Jul 29, 2014 at 11:11:13PM +0200, Johan Engelen wrote:
Hi all,
Is this something we want to sign up to?
https://continuousassurance.org/
After a quick browse around their website, they seem to offer a platform
that runs static analysis tools. We can run them ourselves (and have
done so not so long ago), but it is nice to have a website do it for all
of us. (Unfortunately, not many of us compile with clang; I gave up the
fight on Windows a while back, and will have to try again later.)
Perhaps you could drop them a line and see if they have special offers
for open source / non-profit projects like us? Coverity has done this
for various projects.
In any case, before forming an opinion on this I'd want to know the
ballpark cost, and what the results/output looks like.
I just looked, it's free.
Yes, sorry forgot to mention. This is why I suggested it.
Ah, excellent. Well, if no money expenditures are needed, then it
sounds like a regular development activity, so no board decision needs
to be made. Personally I think static analysis tools are great and
should be used. You might float your proposal on inkscape-devel@ to get
wider buy in though.
I pretty strongly believe we should move towards heavy use of these tools, and
requiring clean builds from any branch work etc. before it is merged. We've had
many bugs that would have been easily resolved by these tools. Last time I ran
clang I got a ton of potential bugs with very few false positives. The list
included links to source and traces through source, some with 40+ decision
steps along the way.
I've signed myself up and will sign Inkscape up as a project. Let's see how it
works out.
Sounds good. Let's continue discussion about it on inkscape-devel@...89...
Meanwhile, if you have access to clang: have a look. GCC has improved a lot too
(perhaps because of clang). clang's scan-build is amazing. clang's
address-sanitizer is *amazing* (from what I've seen in talks), but I have not
tested it myself.
Perhaps an item for the roadmap would be to set up a consistent set of
static (and non-static) testing tools (perhaps invokable from make),
which could be run from a centralized location. (Again
though... another topic for inkscape-devel@ discussion.)
Thanks,
Bryce